Defining Operational Risk is not as easy as it looks
One of the most basic steps in any risk management process is to define your operational risks. Risks are typically recorded in a risk register together with their related controls (a topic to be covered in a later blog). This sounds easy but for any of you that have reviewed a range of risk registers or attempted it yourselves, you might have found that it is, in fact, a complex task.
The two main issues to consider are:
- What exactly are you describing? Your risk description needs to be consistent between all risks.
- What level of granularity and detail should the risk description contain?
What are you describing?
Risk descriptions typically found in risk registers might look like this:
- Human error
- Reputation damage
- Poor quality training
- Loss of confidential data
All of the above are inconsistent in that they are describing different parts of the same risk. Human error is the risk cause, reputation damage is the risk impact, poor quality training is a weak control and loss of confidential data is the risk event. These elements will be described in a later blog series we will be doing on Bow Tie Analysis.
Each organisation should decide on a consistent standard for defining and recording all risks. We would suggest the following:
- The main short name for the risk is the risk event. i.e. Loss of confidential data.
- The risk is described in terms of its event (loss of confidential data), caused by Human error and resulting in reputation damage.
- Training is recorded as a control over the risk and as the training is poor quality it would be rated poorly when control effectiveness is assessed.
What level of granularity and detail?
There are three levels of granularity and detail you can choose from when recording risks. These are, from the least to most granular.
- Risk event only: “Loss of Confidential Data.”
- Risk event, main cause and main impact “Loss of confidential data, caused by human error, leading to reputation damage”. This is often referred to as a risk statement.
- Risk event, main and secondary causes, main and secondary events. “Loss of confidential data, caused by human error, system failure and external cyber-attack, leading to reputation damage, $ fines and $ losses”.
The approach taken by each organisation may be different depending on the maturity of the business. The method needs to be kept as simple as possible while providing enough granularity to be useful.
The following provides an example of level 3 above using the Protecht. ERM system. This method is based on:
- Defining the risk event and linking it to a central library of risk event categories.
- Defining the risk causes and linking to a central library of risk cause categories.
- Defining risk impacts and linking to a central library of risk impact categories.
Whichever method you decide to use in your risk management framework, it needs to be consistently applied and communicated to all persons involved in the risk management process. This will ensure that the risk registers are understandable and consistent and that they support the generation of a quality data set that can be used for value add reporting and risk analytics.